These were the alerts most frequently marked as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it may simply mean that ZAP users are not interested in these specific findings (for example, the passive header and cookie checks that dominate the list).
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Information Disclosure - Suspicious Comments | release | Passive |
2 | Cross-Domain Misconfiguration | release | Passive |
3 | X-Content-Type-Options Header Missing | release | Passive |
4 | Session ID in URL Rewrite | release | Passive |
5 | Cookie without SameSite Attribute | release | Passive |
6 | Timestamp Disclosure - Unix | release | Passive |
7 | Retrieved from Cache | release | Passive |
8 | Content Security Policy (CSP) Header Not Set | release | Passive |
9 | Strict-Transport-Security Header | release | Passive |
10 | Re-examine Cache-control Directives | release | Passive |
11 | User Agent Fuzzer | release | Active |
12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
13 | Absence of Anti-CSRF Tokens | release | Passive |
14 | Anti-clickjacking Header | release | Passive |
15 | Loosely Scoped Cookie | release | Passive |
16 | HTTP Server Response Header | release | Passive |
17 | CSP | release | Passive |
18 | Modern Web Application | release | Passive |
19 | Cookie No HttpOnly Flag | release | Passive |
20 | Permissions Policy Header Not Set | beta | Passive |